meta: serialize all ops behind a tokio mutex + clear stale lock at startup

journal showed three concurrent rebuilds racing on the meta repo's .git/index.lock — auto_update::run kicks off parallel tokio::spawn for every stale agent, each rebuild eventually calls into meta::sync_agents / lock_update_for_rebuild which do git add + commit, git isn't safe across concurrent processes on the same .git/, and one of the failing-mid-write children left index.lock behind. subsequent ops blocked until somebody rm'd it manually. fix: static META_LOCK (tokio::sync::Mutex<()>) acquired at the top of every public meta function. concurrent rebuilds take turns on meta ops; the actual nix build (nixos-container update) releases the lock first and runs without it, so parallel agent builds still parallelize on nix-daemon's own concurrency model. migrate::run additionally clears /var/lib/hyperhive/meta/.git/ index.lock on startup if it exists — we just booted, nothing of ours is holding it. covers the 'previous crash left a stale lock' case the user just hit so the daemon recovers without manual intervention.
2026-05-16 02:44:39 +02:00 · 2026-05-16 02:44:39 +02:00 · 78f21ccc5d
commit 78f21ccc5d
parent 3db33b0fe5
3 changed files with 84 additions and 0 deletions
--- a/0001-mcp-wire-extra-server-allowedTools-into-allowedTools.patch
+++ b/0001-mcp-wire-extra-server-allowedTools-into-allowedTools.patch
@ -0,0 +1,55 @@
+From e0b18ff3c2ec5a7f771ab9a1a247ff4a24a8c475 Mon Sep 17 00:00:00 2001
+From: damocles <damocles@hyperhive>
+Date: Sat, 16 May 2026 02:28:21 +0200
+Subject: [PATCH] mcp: wire extra server allowedTools into --allowedTools arg
+
+---
+ hive-ag3nt/src/mcp.rs | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/hive-ag3nt/src/mcp.rs b/hive-ag3nt/src/mcp.rs
+index d8831b4..cb0918a 100644
+--- a/hive-ag3nt/src/mcp.rs
+++ b/hive-ag3nt/src/mcp.rs
+@@ -539,6 +539,8 @@ impl ManagerServer {
+ )]
+ impl ServerHandler for ManagerServer {}
+ 
+
+
+ /// Name of the hyperhive MCP server inside claude's view. Claude prefixes
+ /// tools as `mcp__<this>__<tool>` (e.g. `mcp__hyperhive__send`).
+ pub const SERVER_NAME: &str = "hyperhive";
+@@ -601,7 +603,9 @@ pub fn allowed_mcp_tools(flavor: Flavor) -> Vec<String> {
+ }
+ 
+ /// Combined allow-list passed to `--allowedTools` (auto-approve) — covers
+-/// both the built-ins and the MCP surface.
+/// the built-ins, the hyperhive MCP surface, and any extra MCP servers.
+/// Extra server tools are read from the same `/etc/hyperhive/extra-mcp.json`
+/// file that `render_claude_config` uses, so the two are always in sync.
+ #[must_use]
+ pub fn allowed_tools_arg(flavor: Flavor) -> String {
+     let mut all: Vec<String> = ALLOWED_BUILTIN_TOOLS
+@@ -609,6 +613,18 @@ pub fn allowed_tools_arg(flavor: Flavor) -> String {
+         .map(|s| (*s).to_owned())
+         .collect();
+     all.extend(allowed_mcp_tools(flavor));
+    for (name, spec) in load_extra_mcp() {
+        if name == SERVER_NAME {
+            continue; // already covered above
+        }
+        for tool in &spec.allowed_tools {
+            if tool == "*" {
+                all.push(format!("mcp__{name}__*"));
+            } else {
+                all.push(format!("mcp__{name}__{tool}"));
+            }
+        }
+    }
+     all.join(",")
+ }
+ 
+-- 
+2.51.2
+